| Commit message (Collapse) | Author | Age |
|\
| |
| | |
spec: modprobe fuse with --device .*/fuse
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If the container uses the /dev/fuse device, attempt to load the fuse
kernel module first so that nested containers can use it.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1872240
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \
| | |
| | | |
remote: fix name and ID collisions of containers and pods
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Fix the look up of containers and pods in the remote client. User input
can refer to both, names or IDs of containers and pods, so there is a
fair chance of collisions (e.g., "c1" name with a "c1...." ID).
Those collisions are well handled (and battle tested) in the local
client which is directly using the libpod backend. Hence, the remote
client should not attempt to introduce its own logic to prevent bugs and
divergence between the local and the remote clients. To prevent
collisions such as in #7837, do a container/pod inspect on the
user-provided input to find the corresponding ID and eventually do full
ID comparisons to avoid potential collisions with names.
Note that this has a cost that I am not entirely happy with. Looking at
issue #7837, the collisions are happening when removing the two
containers. Remote container removal is now very chatty with the server
as it first queries for all containers, then iterates over the provided
names or IDs and does a remote inspect to figure out the IDs and find a
matching container object. However, remote removal could just pass the
names and IDs directly to the batch removal endpoint. Querying for all
containers could be prevented if the batch removal endpoint would remove
all if the slice is empty.
In other words, the bug is fixed but there's room for performance
improvements.
Fixes: #7837
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \ \
| | | |
| | | | |
Fix for incorrect evaluation of error condition within libpod.LabelVolumePath.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
A reading of LabelVolumePath suggests that the intended behavior
upon encountering ENOTSUP is to log the issue and continue without
error, while all other errors in the Relabeling operation should
be considered errors of LabelVolumePath and passed up accordingly.
This is not the behavior that is encountered, as this test shows:
it is instead considered an error if and only if the Relabeling
operation returns ENOTSUP, spitting out a somewhat incongruous
error message, while all other error types that may be returned
are logged without being propogated, with an even more incongruous
error message saying that the operation was not supported.
The comparison was changed to match the behavior documented by the
log messages, and a test was added that will simulate executing
this function on a path where the mounted filesystem does not
support SELinux labels, with the assertion that the function should
not return an error in order to highlight the condition these
changes seek to alleviate.
Signed-off-by: Peter <peter@psanders.me>
|
|\ \ \ \
| | | | |
| | | | | |
Migrate container images to automation_images
|
| | | | |
| | | | |
| | | | |
| | | | | |
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
Add X-Registry-Config support
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
* Refactor auth pkg to support X-Registry-Config
* Refactor build endpoint to support X-Registry-Config. Supports:
* --creds
* --authfile
* Added X-Reference-Id Header to http.Request to support log event
correlation
* Log headers from http.Request
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\ \ \ \ \ \
| |_|_|_|_|/
|/| | | | | |
fix compat api privileged and entrypoint code
|
| | |/ / /
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
when adding /dev to a privileged container using the compatibility API, we need to make sure we dont pass on devices that are simply symlinks. this was already being done by specgen but not on the compat. side.
the entrypoint code that was recently rewritten for the compatibility layer was also failing due to the odd inputs that docker is willing to accept in its json, specifically [] vs "". in the case of the latter, this was being made into a []string with a len of one but no content. this would then be used to prefix the command to run in the container and would fail. For example " ls" vs "ls".
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \ \ \
| | | | | |
| | | | | | |
system test: untag all test
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Extend the system tests to test `podman untag $image` without further
arguments to force removing all tags from the image.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Add additionalGIDs from users in rootless mode
|
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
There is a risk here, that if the GID does not exists
within the User Namespace the container will fail to start.
This is only likely to happen in HPC Envioronments, and I think
we should add a field to disable it for this environment,
Added a FIXME for this issue.
We currently have this problem with running a rootfull container within
a user namespace, it will fail if the GID is not available.
I looked at potentially checking the usernamespace that you are assigned
to, but I believe this will be very difficult to code up and to figure out.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \ \ \
| | | | | | | |
| | | | | | | | |
Podman containers/pods prune should throw an error if user adds args
|
| | |_|/ / / /
| |/| | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
We are not currently checking if a user accidently adds an argument to
all podman * prune commands.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \ \ \
| | | | | | | |
| | | | | | | | |
[CI:DOCS] Update rootless_tutorial.md
|
| | |_|/ / / /
| |/| | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
add clarifications in persistently setting unprivileged ping permissions
Signed-off-by: fuzxi <opuspam@posteo.de>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \ \ \
| |_|/ / / / /
|/| | | | | | |
misc fixes for f33 integration tests
|
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
some small fixes for testing on fedora 33 (non-btrfs)
Signed-off-by: baude <bbaude@redhat.com>
|
|\ \ \ \ \ \ \
| | | | | | | |
| | | | | | | | |
fix allowing inspect manifest of non-local image
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Add support of `podman manifest inspect` returning manifest list of non-local manifest.
Close #https://github.com/containers/podman/issues/7726
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\ \ \ \ \ \ \ \
| | | | | | | | |
| | | | | | | | | |
Fix some flakes in the e2e network tests.
|
| | |_|/ / / / /
| |/| | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
The network test created config files with random filenames
but the network name was static. Since the tests can run in
parallel podman was not able to distinguish the networks.
We need to make sure that each test has its own config file
and network name. This helps to prevent unnecessary flakes.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
|
|\ \ \ \ \ \ \ \
| | | | | | | | |
| | | | | | | | | |
Attempt to test all Broken SkipIfRootless FIXME
|
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \ \ \ \ \
| |_|_|_|_|/ / / /
|/| | | | | | | | |
Volume prune should not pass down the force flag
|
| | |/ / / / / /
| |/| | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
podman volume prune -f
Should just tell the prune command to not prompt for confirmation.
It should not be passing the prune flag into the API.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \ \ \ \
| |/ / / / / / /
|/| | | | | | | |
[apiv2] don't ignore the ENV and WorkDir from the image
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
|
|\ \ \ \ \ \ \ \
| | | | | | | | |
| | | | | | | | | |
Fix two e2e tests
|
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
The systemd test was inaccurately being skipped when a userns env. var.
flag was set. At best this is confusing to new developers, and at worse
it actively blocks an otherwise legitimate class of tests. Improve the
accuracy of skip-logic by adding/using a purpose built set of
functions.
Signed-off-by: Chris Evich <cevich@redhat.com>
|
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
Test passes on Fedora because the registry server is one of the
defaults. However it is not typically configured on Ubuntu hosts, and
therefor this test can fail. While specifying the FQIN in the
dockerfile text is not an ideal solution, it cannot negatively
affect other tests which utilize `podmanTest.BuildImage`.
Signed-off-by: Chris Evich <cevich@redhat.com>
|
|\ \ \ \ \ \ \ \ \
| |_|_|_|_|_|_|_|/
|/| | | | | | | | |
Support --http-proxy for remote builds
|
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
* Fix misspelled parameter
* add http-proxy support for builds
http_proxy must be set in the podman.service unit file, for example
Environment=http_proxy=<value>
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|
|\ \ \ \ \ \ \ \ \
| |/ / / / / / / /
|/| | | | | | | | |
image look up: consult registries.conf
|
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
When looking up local images, take the unqualified-serach registries of
the registries.conf into account (on top of "localhost/").
Also extend the integration tests to prevent future regressions.
Fixes: #6381
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
| |/ / / / / / /
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
The registries package should be retired. It was introduced as an
easier to use wrapper around c/image `sysregistries` which has been
replaced by `sysregistriesv2` a long while ago.
Users should either use the `sysregistriesv2` package directly or, even
better, we cache the config in libpod's image runtime to prevent
redundant (and ~expensive) parsing of the registries.conf files.
For now, just add a note in hope we'll not forgert about it when we find
time in the future.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
|
|\ \ \ \ \ \ \ \
| |_|_|_|_|/ / /
|/| | | | | | | |
Don't disable Go modules when generating varlink
|
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
From a fresh install of Fedora 33 Beta and a fresh clone of the repo, `make` fails with the following error when Go modules are disabled:
# Only generate the varlink code on Linux (see issue #4814).
GO111MODULE=off go generate ./pkg/varlink/...
../../vendor/github.com/varlink/go/cmd/varlink-go-interface-generator/main.go:12:2: cannot find package "github.com/varlink/go/varlink/idl" in any of:
/usr/lib/golang/src/github.com/varlink/go/varlink/idl (from $GOROOT)
/home/test/src/podman/_output/src/github.com/varlink/go/varlink/idl (from $GOPATH)
pkg/varlink/generate.go:3: running "go": exit status 1
make: *** [Makefile:646: pkg/varlink/iopodman.go] Error 1
Signed-off-by: Jordan Christiansen <xordspar0@gmail.com>
|
|\ \ \ \ \ \ \ \
| |_|_|_|_|/ / /
|/| | | | | | | |
Use local image if input image is a manifest list
|
| | |_|_|_|/ /
| |/| | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
If run&create image returns error: image contains manifest list, not a runnable image, find the local image that has digest matching the digest from the list and use the image from local storage for the command.
Signed-off-by: Qi Wang <qiwan@redhat.com>
|
|\ \ \ \ \ \ \
| | | | | | | |
| | | | | | | | |
capabilities: always set ambient and inheritable
|
| |/ / / / / /
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
change capabilities handling to reflect what docker does.
Bounding: set to caplist
Inheritable: set to caplist
Effective: if uid != 0 then clear; else set to caplist
Permitted: if uid != 0 then clear; else set to caplist
Ambient: clear
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|\ \ \ \ \ \ \
| | | | | | | |
| | | | | | | | |
Make the e2e test network cleanup more robust.
|
| | |_|_|_|/ /
| |/| | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
We need to handle removal of non existing network.
This allows the `removeCNINetwork` function
always to be called. This is needed by tests which are trying
to remove the network manually in order to prevent flakes.
Fixes #7809
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
|\ \ \ \ \ \ \
| |_|_|_|/ / /
|/| | | | | | |
Refactor IdleTracker to handle StateIdle transitions
|
| | |/ / / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
* Remove stutter naming for package and types
* Stop treating StateIdle the same as StateClosed, rather transitions to
StateIdle will keep API timeout window open
* Remove redundate code
Fixes #7826
Signed-off-by: Jhon Honce <jhonce@redhat.com>
|